Hi, this afternoon I was getting swamped by an attack from a host in Malaysia. I am pretty new to Wireshark and would like to know if this traffic from the host 175.136.20.105 to my load balancer had any other anomalies. I also noticed that there were a lot of TCP dup ACKs and zero-length ACKs. After blocking this IP, my site recovered. Is there something in these packets that can give me additional insights? The capture can be found at http://www.cloudshark.org/captures/4922bebc6d4f. Would appreciate help from any kind soul. Thanks in advance.

asked 20 Jun '13, 06:26 diden, edited 20 Jun '13, 08:25
One Answer:
I can see a lot of GET requests from this guy (175.136.20.105). He is looking for some real estate details and property news. Hope he will be your customer in future (kidding). My 2 cents here: open the capture using TShark and collect all the HTTP GETs from him, save them to a text file, then open it and start analyzing for any anomaly. Example:

tshark -r <yoursuspiciouscapturefile.pcap> -Y http -Tfields -e http.request.uri > file.txt

file.txt contains all the URIs that 175.136.20.105 requested, which might give you an idea what he is doing.

answered 20 Jun '13, 10:17 krishnayeddula, edited 20 Jun '13, 10:18
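As an added example (not part of the answer above), here is a small script that takes the same idea one step further: it assumes the fields were exported with `tshark -r capture.pcap -Y http.request -T fields -e frame.time_epoch -e ip.src -e http.request.uri` (tab-separated) and summarises, per source IP, the request rate and how many distinct URIs were hit, which is what separates a flood of repeated GETs from a normal visitor. The sample lines are constructed for illustration; 203.0.113.7 is a placeholder address.

```python
"""Summarise per-source HTTP request behaviour from tshark field output."""
from collections import Counter, defaultdict

# Constructed sample of tshark `-T fields` output (frame.time_epoch, ip.src,
# http.request.uri, tab-separated). Timestamps and URIs are made up.
SAMPLE = """\
1371730000.000\t175.136.20.105\t/property-news
1371730000.050\t175.136.20.105\t/property-news
1371730000.100\t175.136.20.105\t/property-news
1371730000.150\t175.136.20.105\t/listings?id=1
1371730000.200\t175.136.20.105\t/property-news
1371730000.250\t175.136.20.105\t/property-news
1371730003.000\t203.0.113.7\t/
1371730012.000\t203.0.113.7\t/listings?id=42
"""

def parse_tshark_fields(text):
    """Yield (epoch, src, uri) tuples; skip lines without a request URI."""
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) < 3 or not parts[2]:
            continue
        yield float(parts[0]), parts[1], parts[2]

def summarise(records, min_requests=5, max_rate=2.0, min_distinct_ratio=0.5):
    """Per source IP: request count, requests/sec over the observed span,
    distinct-URI ratio, most requested URI, and a flag for sources that
    send many requests quickly or hammer a handful of URIs."""
    by_src = defaultdict(list)
    for epoch, src, uri in records:
        by_src[src].append((epoch, uri))
    report = {}
    for src, reqs in by_src.items():
        times = [t for t, _ in reqs]
        uris = Counter(u for _, u in reqs)
        span = max(times) - min(times)
        rate = len(reqs) / span if span > 0 else float("inf")
        distinct_ratio = len(uris) / len(reqs)
        flagged = len(reqs) >= min_requests and (
            rate > max_rate or distinct_ratio < min_distinct_ratio)
        report[src] = {"requests": len(reqs), "rate": rate,
                       "distinct_ratio": distinct_ratio,
                       "top_uri": uris.most_common(1)[0], "flagged": flagged}
    return report

if __name__ == "__main__":
    for src, stats in summarise(parse_tshark_fields(SAMPLE)).items():
        print(src, stats)
```

Thresholds are assumptions to tune against your own baseline traffic; the point is to compare each client against the rest rather than read URIs one by one.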